This article can also be found in the Premium Editorial Download "Information Security magazine: Successful cloud migrations require careful planning."
Download it now to read this article plus other related content.
Some of the most intriguing storylines to emerge from the crisis in Egypt are those related to the attempts by the Egyptian government to control the flow of information in and out of the country. The reaction of the Egyptian government to the social unrest included the disruption of voice and data communications, resulting in what appears to be the first intentional deployment of a "kill switch" -- the intentional shutdown of Internet access -- by a central government as a political tool. Simultaneously, there has been continued debate over the merits of the so-called "Internet kill switch" within the U.S., described by proponents as an important tool to blunt widespread cyberattacks.
Despite recent reassurances by policymakers such as Sen. Joseph Lieberman that an Internet kill switch is not in the nation's best interests or immediate future, political winds change quickly. Therefore, the information security industry would be well served by explaining why the concept should be eliminated from discussion about cybersecurity guidance, regulation and policy.
First off, enabling the shutdown of even a piece of the U.S. Internet architecture would be an overly broad technical control that is unmatched to any technical threat. Public statements asserting the need for such capabilities have relied on vague descriptions of the risks the kill switch is intended to mitigate. Supporters are similarly unable to point us to actual past events that demonstrate
The nature of the distributed Internet architecture, the availability of multiple Internet access mechanisms, inexpensive peer-to-peer capabilities, and the subjective nature of technical threats and vulnerabilities, among other factors, make the implementation of a kill switch practically impossible. Supporters of the concept ignore the depth of integration of U.S. business, government and general public resources with the Internet.
The U.S. Senate Committee on Homeland Security and Governmental Affairs last June asserted the president was granted kill switch powers under the Communications Act of 1934, and suggested a proposed law, S. 3480, Protecting Cyberspace as a National Asset Act of 2010, would establish limits on broad presidential powers. Intended to quell "myths" about S. 3480, the committee's memo raised more questions than answers. For example, it didn't explain the characteristics of a bona fide "cyber emergency," yet asserted that the threat of a catastrophic cyberattack is not a matter of "if" it will happen, but rather when. The document failed to present any examples or scenarios where disconnecting service would actually protect assets or aid recovery.
Another important consideration is that the legal, business and political landscapes have evolved since 1934, and a law intended to control a first-generation, centrally managed, land-line telephone system may not be applicable to the present context. The degree of reliance on telephone service in 1934 did not at all approach the level of dependency that business, governments and citizens have on the Internet today. Early telephone systems provided support for voice communications, whereas the Internet is arguably the single most important business resource for many organizations. The phone system of 1934 was also the product of a closely regulated monopoly that enjoyed true ownership and control over all architectural assets. The Internet, on the other hand, is largely a system of standards and interface rules that enable communication between diverse information resources, which are owned by numerous private entities that rely on it to offer services in a competitive, global private sector. Therefore, any federally directed shutdown would disrupt intrastate and interstate commerce, as well as international businesses. The global economy includes U.S. companies that provide contracted services to foreign customers; the capability of government to halt Internet communications would threaten the ability of private enterprises to deliver global services. Likewise, a shutdown would technically cripple organizations that have embedded cloud computing and other virtualized resources into their architectures as they would be unable to function without appropriate connectivity.
The mantra of "just shut it off" is not a particularly well-designed technical control and its prominence in emerging regulation suggests either a lack of understanding of the architecture and our reliance on it, or the existence of other non-stated goals. Kill switch capabilities would provide very little in the way of protection against genuine cyberthreats, but would certainly succeed in delivering even more power to the federal bureaucracy and potentially severe and unnecessary disruption to businesses. It may not be much of a stretch to conclude the kill switch could be a formidable political tool, although it may not be a very effective one, as seen when Egyptian citizens applied technical innovation to overcome the shutdown, such as using voice-to-text services to maintain a social media presence.
Ours is a government of checks and balances, and the separation of powers is codified in our system of governance on federal and state levels. Overstepping the U.S. Constitution in the name of theorized cyberthreats would be harmful, disruptive, and of little genuine cybersecurity benefit. A kill switch ignores the property rights of the private sector owners of the systems and resources the Internet relies on. It's a poorly conceived control that reflects a fundamental lack of understanding of Internet architectures and risks on the part of its proponents. And that seems to suggest cybersecurity is perhaps not the primary objective.
Paul Rohmeyer is a faculty member in the graduate school at Stevens Institute of Technology. He provides technology risk management guidance to firms in the financial services industry, and previously held management positions in the financial services, telecommunications and pharmaceutical industries. Send comments on this column to firstname.lastname@example.org
This was first published in April 2011